[Libvir] Virtual network iptables rules
Mark McLoughlin
markmc at redhat.com
Thu Apr 5 11:22:34 UTC 2007
On Thu, 2007-04-05 at 11:55 +0100, Daniel P. Berrange wrote:
> On Thu, Apr 05, 2007 at 11:38:42AM +0100, Richard W.M. Jones wrote:
> > Daniel P. Berrange wrote:
> > [...]
> >
> > >Scenario 2: Virtual network
> > >===========================
> > >
> > > net.bridge.bridge-nf-call-iptables = 1
> >
> > As far as I could tell, this case is exactly the same as scenario 1,
> > except PHYSIN is available.
>
> Yep, that is correct. The net.bridge.bridge-nf-call-iptables has a much
> more significant impact on scenario 4 with shared physical NICs, because
> with bridging to the physical NIC you'd ordinarily not hit iptables at
> all in many cases.
What's happening is that even though we're bridging here, we don't see
iptables being invoked as packets traversed the bridge here because it's
not actually traversing the bridge.
i.e. in that packet flow diagram, we go into the link layer, hit NAT
PREROUTING, but then the bridging decision sends us up to the routing
decision at the network layer before we can hit the FORWARD filter at
the link layer.
i.e. if instead of assigning an IP address to the bridge, we connected
a loopback device to the bridge and assigned the IP address to that,
then we would hit the link layer FORWARD filter even for the Guest->Host
case.
Cheers,
Mark.
More information about the libvir-list
mailing list